Abstract

We  consider  using  trust  information  to  improve  the  anonymity  provided 
by  onion-routing  networks.  In  particular,  we  introduce  a  model  of  trust  in 
network  nodes  and  use  it  to  design  path-selection  strategies  that  minimize 
the  probability  that  the  adversary  can  successfully  control  the  entrance  to 
and  exit  from  the  network.  This  minimizes  the  chance  that  the  adversary 
can  observe  and  correlate  patterns  in  the  data  flowing  over  the  path  and 
thereby  deanonymize  the  user.  We  first  describe  the  general  case  in  which 
onion  routers  can  be  assigned  arbitrary  levels  of  trust.  Selecting  a  strategy 
can be formulated in a straightforward way as a linear program, but it is
exponential  in  size.  We  thus  analyze  a  natural  simplification  of  path  selection 
for  this  case.  More  importantly,  however,  when  choosing  routes  in  practice, 
only  a  very  coarse  assessment  of  trust  in  specific  onion  routers  is  likely  to 
be  feasible.  Therefore,  we  focus  next  on  the  special  case  in  which  there  are 
only  two  trust  levels.  For  this  more  practical  case  we  identify  three  optimal 
route-selection  strategies  such  that  at  least  one  is  optimal,  depending  on  the 
trust  levels  of  the  two  classes,  their  size,  and  the  reach  of  the  adversary. 
This  can  yield  practical  input  into  routing  decisions.  We  set  out  the  relevant 
parameters  and  choices  for  making  such  decisions. 
1. Introduction

When  designing  or  analyzing  anonymous  communication 
networks,  researchers  generally  assume  that  all  nodes  routing 
traffic  are  equally  trusted.  But  this  typically  is  incorrect.  There 
is  much  information  available  to  those  selecting  routes  that  can 
affect  trust:  information  about  who  runs  some  components  of 
the  infrastructure,  what  computing  platforms  are  used,  how 
long  and  how  reliably  some  components  have  been  running, 
etc.  And  if  routing  designs  were  to  begin  taking  trust  into 
account,  then  even  more  extensive  and  diverse  bases  for  trust 
might  be  available. 

Onion  routing  is  a  type  of  anonymous  communication  that 
creates  cryptographic  circuits  along  an  unpredictable  route 
through  a  network  of  nodes  called  onion  routers  and  passes 
traffic  bidirectionally  along  those  circuits  with  minimal  latency 
[1],  [2],  [3].  An  adversary  observing  an  entry  node  and  an 
exit  node  of  an  onion-routing  network  through  which  one  is, 
e.g.,  browsing  the  web  can  easily  link  the  two  ends  of  the 
connection  and  correlate  source  to  destination.  This  has  been 
an  acknowledged  feature  of  the  design  since  its  inception  [4]. 
Correlation  is  easily  done  with  extremely  high  confidence  by 
passive timing, that is, simply by observing the timing pattern
of data entering the network and of data exiting the network
and matching incoming and outgoing patterns. Correlation
can also be done with active timing, where the adversary
inserts  unique  patterns  in  incoming  data  and  observes  where 
they  appear  among  outgoing  data.  It  is  this  vulnerability  of 
onion  routing  circuits  to  hostile  pairs  of  entry  and  exit  nodes 
that  is  our  focus.  There  are  many  documented  attacks  that 
have some effect on onion routing — correlation, congestion,
intersection,  destination  fingerprinting,  latency,  etc.  None  of 
the  others  have  the  efficiency  or  certainty  that  correlation  does 
when  an  attacker  owns  so  little  of  the  network  (i.e.,  just  one 
entry  node  and  one  exit  node)  and  observes  so  little  traffic. 

Correlation  is,  at  least  in  this  way,  the  most  significant 
unaddressed  problem  for  onion  routing  and  one  that  can 
likely  be  improved  with  trust  knowledge.  (Correlation  could  be 
countered  by  mixing,  padding,  or  other  approaches;  however, 
to  date  no  proposed  countermeasure  has  had  both  low  enough 
overhead  and  high  enough  expectation  of  success  against 
realistic  attackers  to  be  pursued  in  practice.)  This  introduces 
many  questions,  such  as  whether  using  more  trusted  nodes 
helps  profile  or  identify  clients  and  what  to  do  about  that, 
how  to  model  diverse  trust  assumptions,  etc.  But  even  ignoring 
these,  it  is  not  obvious  how  to  take  advantage  of  trust  as  a 
criterion  in  route  selection.  In  particular,  using  trusted  nodes 
more  often  has  the  disadvantage  of  simultaneously  providing 
a small set of nodes for the adversary to attempt to monitor.
This  paper  is  specifically  focused  on  whether  there  is  a  way 
to  use  trust  to  reduce  the  probability  of  a  circuit  compromise 
by  endpoints. 

Trust  has  many  meanings  and  applications  in  computer 
security [5], [6], [7], [8], [9], [10], [11], [12]. Much of the
literature  is  concerned  in  one  way  or  another  with  propagation 
or  transfer  of  trust  from  where  it  is  to  where  it  needs  to  be. 
Our  concern  is  not  with  the  transfer  of  trust  information  but 
with  what  it  means  in  the  context  of  onion  routing  and  how  to 
make  use  of  it.  We  consider  how  trust  associated  with  network 
nodes  or  links  might  be  used  to  protect  (or  reveal)  information 
that  would  undermine  the  anonymity  of  communicants. 

Tor  [13]  is  the  current  widely-deployed  and  used  public 
onion-routing network, with an estimated quarter-million concurrent
users and a few thousand network nodes. It is thus
useful  to  consider  trust  issues  that  arise  for  this  deployed 
network.  For  example,  a  correlating  adversary  could  try  to 
compromise  nodes  in  the  network.  Because  Tor  nodes  are  run 
by volunteers, however, an even easier attack is to simply set
up  hostile  nodes  and  use  those  to  attack  traffic  on  the  network. 
We  have  already  noted  that  correlation  attacks  are  strong  and 
low  cost.  This  shows  us  that  they  are  also  easy  to  deploy  in 
practice. 

One  way  Tor  reduces  the  threat  of  linking  exit  activity  to 
sources  is  by  use  of  entry  guards,  a  small  number  of  nodes  that 
a  single  client  uses  persistently  to  connect  to  the  Tor  network. 
If  a  client  has  chosen  guard  nodes  that  are  not  compromised, 
it  can  never  be  linked  by  correlation  to  its  activity  by  a  pair 
of  compromised  entry-exit  nodes.  When  entry  guards  were 
introduced  [14],  there  was  a  brief  discussion  of  the  relative 
merits  of  choosing  guards  randomly  versus  based  on  trust 
or  other  features  of  the  guard  nodes.  So  far,  no  one  has 
analyzed  the  implications  of  choosing  nodes  based  on  trust. 
Entry  guards  are  currently  chosen  randomly  from  the  set  of 
Tor  nodes  (subject  to  some  performance  and  other  criteria). 
Abusing  entry-guard  selection  criteria  can  increase  the  chances 
of  a  node  being  chosen  as  an  entry  guard,  especially  if  they 
are  based  on  reliability,  performance,  etc.  rather  than  based 
on  any  sort  of  trust.  Many  of  the  threats  initially  observed 
about  this  ([14],  [15])  are  not  feasible  in  the  current  Tor 
network.  Statistically,  however,  the  percentage  of  all  circuits 
compromised  by  hostile  entry-exit  pairs  is  not  reduced  by  the 
use  of  randomly  chosen  entry  guards,  nor  is  the  probability 
that  any  given  client  will  have  compromised  guards;  it  only 
affects  the  distribution  of  compromised  circuits  over  the  client 
space.  If  one  were  able  to  choose  not  just  guards  but  whole 
routes  from  a  more  trusted  set  of  nodes,  then  one’s  threat  of 
circuit  compromise  might  be  reduced.  We  hope  through  our 
analysis  to  show  how  best  to  add  this  protection  to  Tor  and 
similar  systems. 

In  this  paper  we  first  set  out  a  simple  model  that  should 
facilitate  reasoning  about  using  trust  in  routing.  We  define  trust 
simply  to  be  the  probability  that  an  attempt  by  the  adversary 
to  control  a  node  fails.  We  include  a  roving  adversary  that 
can  attempt  to  compromise  a  certain  number  of  nodes.  Route 
selection  is  modeled  as  a  three-stage  game  in  which  the  user 
first  picks  a  distribution  over  paths,  then  the  adversary  chooses 
a  set  of  nodes  to  attempt  to  compromise,  and  finally  the  user 
samples  a  path  from  his  distribution.  While  we  expect  this 
model  to  bear  further  fruit,  we  use  it  in  this  paper  to  show  a 
number  of  results  of  both  theoretical  and  practical  interest. 

We  consider  various  strategies  for  choosing  first  and  last 
nodes in the network so as to minimize the maximum probability
a correlating adversary has for linking source to destination.
We  first  look  at  the  general  case,  in  which  there  is  an  arbitrary 
number  of  trust  levels.  We  observe  that  a  straightforward 
algorithm  to  calculate  an  optimal  distribution  runs  in  time 
exponential  in  the  size  of  the  adversary.  We  consider  a 
natural  simplification  of  looking  at  distributions  on  individual 
nodes  rather  than  pairs  of  nodes  and  considering  the  product 
distribution  as  an  approximation  of  the  joint  distribution  on 
pairs.  We  find  two  optimal  distributions  over  single  nodes,  but 
we  then  show  that  optimal  distributions  on  pairs  are  arbitrarily 
better than products of those optimal distributions on single
nodes.

In  practice,  it  is  unlikely  that  one  can  realistically  assign 
many different levels of trust, and so we next consider restricting
to the case where there are only two trust levels for nodes
in  the  network.  Here  we  find  three  distributions  and  prove  that 
in  every  case  one  of  them  must  be  optimal.  Lastly,  we  discuss 
determining  in  practice  when  one  of  the  three  distributions 
is  optimal  based  on  the  values  of  the  system  variables:  trust 
values,  size  of  the  trusted  and  untrusted  sets,  and  the  size  of 
the  adversary. 

2.  An  uncompromising  model  of  node  trust 

A user wants to use a network of onion routers for anonymous
communication. He trusts some onion routers more than
others  in  the  sense  that  he  trusts  that  they  are  less  likely  to 
attempt  to  compromise  his  anonymity.  How  should  he  take 
this  trust  into  account  when  he  selects  his  paths? 

2.1.  The  model 


To  make  this  question  concrete,  we  need  to  make  the  notions 
of  trust,  anonymity,  and  an  adversary  precise. 

Let $R$ be the set of routers, $|R| = n$. Let there be an
adversary that is trying to compromise the user’s anonymity.
The adversary selects $k$ routers in $R$ that he will attempt to
compromise and use for deanonymization. If a router is not
selected, it cannot be used by the adversary in an attack.

When an onion router $i$ is selected, the adversary fails to
compromise it with probability $t_i$. This represents the user’s
trust in the router. It will be convenient to define $c_i = 1 - t_i$, the
probability that the adversary does successfully compromise
router $i$ when he attempts to do so.

A  user  selects  a  path  for  a  circuit  from  some  probability 
distribution.  If  the  adversary  has  selected  and  successfully 
compromised  the  first  and  last  nodes  on  the  chosen  path,  the 
user  has  no  anonymity.  Otherwise,  the  user’s  connection  is 
anonymous.  Therefore,  to  calculate  anonymity,  we  need  only 
look  at  the  user’s  distribution  over  entry-and-exit-node  pairs. 

We  would  like  to  find  the  probability  distribution  over 
pairs  of  routers  that  minimizes  the  chance  that  both  members 
of  the  pair  are  selected  by  the  adversary  and  successfully 
compromised. More precisely, we want to find $p \in \Delta_{n(n-1)/2}$,
that is, a probability distribution $p$ over pairs in $R$, that
minimizes

For a set $S$ and $j < |S|$, we use $\binom{S}{j}$ to represent the collection
of all subsets of $S$ of size $j$. Also, for convenience, we write
$p(\{r,s\})$ as $p(r,s)$.


2.2.  The  adversary 

Attackers  of  limited  size  have  long  been  countenanced  in 
the security and fault-tolerance literature. While caution might
suggest designing against an adversary that can compromise
the  entire  network  as  a  worst  case,  usable  results  are  often 
broken  against  such  an  adversary.  And,  especially  for  large 
diverse  networks,  it  is  typically  unrealistic  to  assume  that  an 
adversary  has  such  reach.  System  and  protocol  designs  have 
been  shown  to  provide  a  guarantee  against  various  types  of 
failure  or  compromise  as  long  as  no  more  than  some  fixed 
threshold  of  nodes  is  compromised  at  any  time,  e.g.,  Byzantine 
fault-tolerance. 

The  particular  partial-network  adversary  from  which  our 
work  derives  is  the  roving  adversary  of  Ostrovsky  and 
Yung  [16].  They  introduced  and  were  motivated  by  the  concept 
of  proactive  security,  in  which  an  adversary  could  compromise 
arbitrary  optimal  sets  of  nodes  given  his  current  information. 
The  roving  adversary  can  potentially  compromise  every  node 
in  the  network,  but  it  can  compromise  no  more  than  a  fixed 
maximum  number  of  nodes  at  any  one  time.  Proactive  security 
is  concerned  with  properties  that  are  resilient  to  such  attacks. 
This can be useful for secret sharing and other distributed applications.
The adversary model was applied to onion routing
by Syverson et al. [4].

We  alter  the  basic  roving  adversary  model  in  two  ways. 
First,  to  incorporate  trust  we  add  the  idea  that  an  adversary 
does  not  always  succeed  when  attempting  to  compromise  a 
node.  Second,  the  adversary  selects  only  one  set  to  attack — 
there  is  no  roving.  It  may  be  useful  to  bring  roving  back  in 
for  future  work.  Though  likely  of  limited  use  for  individual 
correlation attacks (given the typically short duration of onion-routing
circuits), roving could allow the adversary to learn
various  communication  and  trust  properties  of  the  network  and 
its  users. 

The  adversary  is  assumed  to  have  prior  knowledge  of  the 
distribution  that  is  used  to  pick  a  route,  and  he  uses  this 
knowledge  to  pick  the  set  of  nodes  that  he  will  attempt  to 
compromise.  It  is  realistic  in  many  settings  to  assume  the 
adversary  has  such  knowledge.  For  example,  the  probability 
distributions  may  be  set  in  some  software  or  common  system 
parameters  given  to  a  wide  group  in  which  there  is  at  least 
one  compromised  member.  The  adversary  may  also  be  able  to 
infer  trust  information  from  outside  knowledge  about  the  user. 

2.3.  Trust 

Trust is captured in our model with the probability $t_i$ that the
adversary’s  attempt  to  compromise  a  node  fails.  This  notion 
accommodates  several  different  means  by  which  users  in  the 
real  world  might  trust  an  onion  router. 

The  probability  might  represent  the  user’s  estimate  of  how 
likely  it  is  that  the  operator  of  a  given  node  is  trying  to  provide, 
rather  than  break,  anonymity.  It  might  represent  the  user’s  faith 
in  the  security  of  a  given  node  against  outside  attack. 

To  arrive  at  such  conclusions,  the  users  must  rely  on  some 
outside  knowledge.  This  might  include  knowledge  of  the 
organizations  or  individuals  who  run  nodes,  both  knowledge 
of  their  technical  competence  and  the  likelihood  of  themselves 
harboring ill intent. It also includes knowledge of computing
platforms on which a network node is running, geopolitical
information about the node, knowledge about the hosting facility
where a node might be housed or the service provider(s)
for its access to the underlying communications network, etc.

Admittedly,  it  may  not  be  the  case  that  one  can  realistically 
assign  specific  probabilities  to  each  node  in  the  network 
separately.  It  is  for  this  reason  that  we  consider  in  sections  5 
and  6  restriction  to  just  two  trust  levels.  Even  if  one  cannot  be 
certain  of  the  probability  of  compromise  to  assign  at  one  level 
or  another,  one  may  be  in  a  position  to  know  the  divergence  of 
those  levels.  This  is  particularly  the  case  if  one  is  considering 
nodes  run  by,  e.g.,  security  or  law-enforcement  agencies  of 
friendly  governments  or  their  contractors  vs.  the  rest  of  the 
nodes  on  the  network.  Alternatively  one  can  imagine  sets  of 
nodes  run  by  reputable  human  rights  groups,  NGOs,  or  human 
rights  agencies  of  friendly  governments. 

Unlike  many  other  areas,  network  performance  or  reliability 
reputation are not good bases for trust for anonymous communication.
That is because an adversary that is focused on
learning  as  much  as  possible  about  communication  patterns 
has  incentive  to  run  the  highest  performing,  most  reliable 
nodes  in  the  network.  Thus,  many  of  the  usual  metrics  do 
not  apply.  The  relation  however  is  subtle  because  failure  to 
consider  performance  at  all  would  always  result  in  the  optimal 
choice being a secure brick [17].

2.4.  Anonymity 

We will consider a user to be anonymous unless the adversary
has compromised the first and last routers on his path.
This  is  motivated  by  the  correlation  attacks  mentioned  above. 
The  model  does  not  include  some  other  methods  the  adversary 
can  use,  for  example  congestion  attacks  [18],  [19],  denial-of- 
service attacks [20], latency [21], or destination fingerprinting
[22], [23]. It also does not take into account the total effect
of  an  adversary’s  actions  on  a  user’s  anonymity,  such  as  the 
analysis  performed  in  [24].  The  attacks  on  which  we  focus 
are  conceptually  much  simpler  than  these  others,  but  more 
importantly,  as  noted  in  Section  1,  none  of  these  other  attacks 
succeeds  with  as  much  certainty  using  as  little  resources  as 
this  one.  Note  that  such  entry-exit  correlation  attacks  could 
also  be  done  by  the  links  from  source  to  the  entry  onion 
router  on  the  entry  side  and  links  from  the  exit  onion  router  to 
the  destination  on  the  exit  side  (or  by  the  destination  itself). 
For  example,  an  autonomous  system  or  internet  exchange  on 
these  links  could  participate  in  a  correlation  attack  [25],  [26]. 
We  focus,  however,  on  just  the  attack  as  it  can  be  done  by 
network  nodes.  Besides  simplifying  analysis,  this  is  reasonable 
to  model  as  a  practical  attack  given  the  ease  with  which  nodes 
can  be  added  to  the  network. 

Using  this  model,  the  user’s  selection  of  the  pair  constituting 
the  first  and  last  onion  routers  on  his  path  is  the  only  relevant 
factor  in  his  anonymity.  The  user  may  make  this  selection 
using  any  probability  distribution  p  over  pairs  of  routers. 


2.5. Objective function

We set as our objective function to find the distribution
on pairs of routers that minimizes the probability of circuit
compromise over all possible sets that the adversary could
choose:

$$\min_{p \in \Delta_{n(n-1)/2}} \; \max_{K \subseteq R : |K| = k} \; \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s.$$

This provides a worst-case guarantee, and if the user has
a distribution with a low worst-case value, he is guaranteed
anonymity with high probability regardless of the adversary’s
actions. As a worst-case criterion, however, it may direct the
user to protect against adversarial actions that are unlikely.
Indeed, while the adversary’s goal is to find the subset $K \subseteq R$
that maximizes his chance of compromise, it is easy to see that
this problem in general is equivalent to the NP-hard problem
CLIQUE. Therefore the adversary may fail in many cases to
actually select the worst-case set.

3. Strategies for the general case

Given arbitrary trust values $t_1, \ldots, t_n$, we would like to find
a polynomial-time algorithm that takes as input the trust values
and outputs an optimal or near-optimal distribution $p^*$.

3.1. Exact algorithm

There is a straightforward formulation of this problem as a
linear program. Let the set of variables be $p_{ij}$, $i, j \in R$. The
following constraints ensure that $p$ is a probability distribution:

$$\sum_{\{r,s\} \in \binom{R}{2}} p_{rs} = 1$$

$$0 \le p_{rs} \le 1 \quad \text{for all } \{r,s\} \in \binom{R}{2}$$

We want to find the distribution that satisfies the minimax
criterion

$$\min_{p} \; \max_{K \in \binom{R}{k}} \; \sum_{\{r,s\} \in \binom{K}{2}} c_r c_s\, p(r,s).$$

For any fixed $K$, the sum

$$c(p, K) = \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s$$

is linear in $p$. Therefore the minimax criterion minimizes the
maximum of linear functions. We can thus transform it into
a simple minimization problem by adding a slack variable $t$
and some linear constraints. We force $t$ to be greater than the
maximum of our linear functions:

$$t - c(p, K) \ge 0 \quad \text{for all } K \in \binom{R}{k}$$

Then the objective function is simply $\min t$. Unfortunately,
this linear program is of exponential size ($O(n^k)$) because of
the constraints for each subset.

3.2. Choosing a simple distribution

A straightforward simplification is to consider restricting
the output to be a distribution in which the first and last
routers are chosen independently and identically at random
and then minimizing the probability that they are individually
compromised.

Let $p_R$ be a distribution on $R$. We consider the distribution
$p_R^*$ that minimizes the probability that an adversary chooses
and successfully compromises a single router:

$$c(p_R) = \max_{K \subseteq R : |K| = k} \; \sum_{r \in K} p_R(r)\, c_r$$

$$p_R^* = \arg\min_{p_R} c(p_R)$$

The following theorem states that it is always optimal either
to put all the probability on the most trusted router or to set
the probabilities such that the values $c_i p_R(r_i)$ are equal for
all $r_i \in R$.

Theorem 1: Let $c_\mu = \min_i c_i$. Let $p_R^1$ put all the probability
on the most trusted router:

$$p_R^1(r) = \begin{cases} 1 & \text{if } r = r_\mu \\ 0 & \text{otherwise} \end{cases}$$

Let $p_R^2$ set probability inversely proportional to $c_i$:

$$p_R^2(r_i) = \alpha / c_i$$

where $\alpha = \left(\sum_i 1/c_i\right)^{-1}$.

Then

$$c(p_R^*) = \begin{cases} c(p_R^1) & \text{if } c_\mu < k\alpha \\ c(p_R^2) & \text{otherwise} \end{cases}$$


Proof: Suppose $p_R$ is an optimal distribution. Sort the
routers so that $c_1 p_R(r_1) \ge c_2 p_R(r_2) \ge \ldots \ge c_n p_R(r_n)$. The
set $K$ that maximizes $\sum_{r \in K} c_r p_R(r)$ is then $\{r_1, r_2, \ldots, r_k\}$,
and the value of $p_R$ is $c(p_R) = \sum_{i=1}^{k} c_i p_R(r_i)$.

Let $l$ be the largest index such that $c_l p_R(r_l) = c_k p_R(r_k)$.

If $l < n$, we could decrease $c_i p_R(r_i)$, $k \le i \le l$, by moving
$\epsilon c_k / c_i$ probability from $r_i$ to $r_{l+1}$. This decreases $c_i p_R(r_i)$ by $c_k \epsilon$
and increases $c_{l+1} p_R(r_{l+1})$ by $\epsilon c_{l+1} c_k / c_i$. For small enough
$\epsilon$ we maintain that if $i < j$ then $c_i p_R(r_i) \ge c_j p_R(r_j)$, and
therefore we reduce the value $c(p_R)$. Therefore $p_R$ cannot be
optimal, contradicting our assumption.

Thus it must be that $l = n$. Let $m$ be the smallest index such
that $c_m p_R(r_m) = c_k p_R(r_k)$. Assume that $p_R$ is an optimal
distribution that has the smallest $m$ possible.

If $m = 1$, we are in the case that $c_i p_R(r_i) = c_j p_R(r_j)$ for
$1 \le i, j \le n$. This is the distribution $p_R^2$.

Suppose $m > 1$. If $p_R(r_m) = 0$, then $c(p_R) = \sum_{i=1}^{m-1} c_i p_R(r_i)$.
Let $c_\mu = \min_i c_i$. Because all of the probability
is contained in a set that the adversary can completely
select, we do not increase $c(p_R)$ by moving all the probability
to $r_\mu$:

$$c(p_R) = \sum_{i=1}^{m-1} c_i p_R(r_i) \ge \sum_{i=1}^{m-1} c_\mu p_R(r_i) = c_\mu,$$

which is equal to $c(p_R^1)$.

Now consider the case that $p_R(r_m) > 0$. Recall that
$c_i p_R(r_i) = c_j p_R(r_j)$ for all pairs $r_i, r_j$ in the set
$S = \{r_i, m \le i \le n\}$. Consider moving probability between $r_{m-1}$
and $S$ in a way that maintains the equality of $c_i p_R(r_i)$ for
$r_i \in S$. This can be achieved by setting the probability of
$r_{m-1}$ to

$$p'_R(r_{m-1}, t) = p_R(r_{m-1}) + t$$

and the probability of $r_j \in S$ to

For small enough values of $t$, this preserves the property that
if $i > j$ then $c_i p'_R(r_i, t) \le c_j p'_R(r_j, t)$. Therefore
$c(p'_R) = \sum_{i=1}^{k} c_i p'_R(r_i, t)$. The fact that $p'_R$ is linear in $t$ makes $c(p'_R)$
also linear in $t$ for small enough values of $t$.

If $D_t c(p'_R)|_{t=0} \ge 0$, then for $t < 0$ large enough $c(p'_R)$
doesn’t increase. This corresponds to moving probability from
$r_{m-1}$ to $S$, and the smallest $t$ that maintains the ordering
by $c_i p'_R(r_i)$ results in $c_{m-1} p'_R(r_{m-1}) = c_m p'_R(r_m)$. This
contradicts the assumption about the minimality of the index
$m$.

If $D_t c(p'_R)|_{t=0} \le 0$, then for $t > 0$ small enough $c(p'_R)$
doesn’t increase. This corresponds to moving probability from
$S$ to $r_{m-1}$. In fact, no positive value of $t$ increases $c(p'_R)$.
This is because setting $t > 0$ decreases the probability of all
$r_i$, $i \ge k$, and only increases the probability of $r_{m-1}$, $m \le k$,
and thus preserves the fact that $c(p'_R) = \sum_{i=1}^{k} c_i p'_R(r_i, t)$.

Therefore we can increase $t$ until $c_i p'_R(r_i) = 0$ for all $r_i \in S$.
This puts us in the case where $p'_R(r_m) = 0$, which we have
already shown implies that $c(p'_R) \ge c(p_R^1)$.

Thus we have shown that either $p_R^1$ or $p_R^2$ is an optimal
distribution. $c(p_R^1) = c_\mu$ and $c(p_R^2) = k\alpha$. Therefore, if $c_\mu < k\alpha$,
$c(p_R^*) = c(p_R^1)$, and otherwise $c(p_R^*) = c(p_R^2)$. □

We might hope that the product distributions $p_R^1 \times p_R^1$ and
$p_R^2 \times p_R^2$ over $R \times R$ are good approximations to an optimal
distribution $p^*$. However, this is not the case, and we can find
inputs such that $c(p_R^i)/c(p^*)$, $i \in \{1, 2\}$, is arbitrarily high.
In fact, we can show this for slightly improved distributions
$p^1$ and $p^2$ over $\binom{R}{2}$.

Notice that $p_R^i \times p_R^i$, $i \in \{1, 2\}$, puts positive probability
on the user choosing the same router twice. The problem as
formulated in Section 2 allows distributions only over distinct
pairs in $\binom{R}{2}$. This doesn’t affect the optimum, however. There
is always an optimal distribution that puts zero probability on
$(r, r) \in R \times R$. Let $p$ be a distribution on $R \times R$. Then let

$$p'(r, s) = \begin{cases} 0 & \text{if } r = s \\ p(r, s) + q_{rs} & \text{otherwise} \end{cases}$$

where for all $r \in R$, $\sum_{s \ne r} q_{rs} = p(r, r)$.

Lemma 2: $c(p') \le c(p)$ □

Now assume that $c_1 \le c_2 \le \ldots \le c_n$ and consider two
distributions over $\binom{R}{2}$:

$$p^1(r, s) = \begin{cases} 1 & \text{if } r = c_1 \wedge s = c_2 \\ 0 & \text{otherwise} \end{cases}$$

and

$$p^2(r, s) = \frac{\alpha}{c_r c_s}$$

where $\alpha = \left(\sum_{\{r,s\} \in \binom{R}{2}} 1/(c_r c_s)\right)^{-1}$. By Lemma 2, $c(p^1) \le c(p_R^1)$
and $c(p^2) \le c(p_R^2)$.

Now let $I_n = (c_1, \ldots, c_n, k)$ be a problem instance that, as
$n$ grows, satisfies

1) $c_1 = O(1/n)$.

2) $c_2 > c$ for some constant $c \in (0, 1)$.

3) $k = o(n)$

4) $k = \omega(1)$

For large enough $n$, $I_n$ has an optimal value that is
arbitrarily smaller than the values achieved by $p^1$ and $p^2$. Let
$c(I_n, p)$ be the value of $I_n$ under distribution $p$.

Theorem 3:

$$c(I_n, p^1) / c(I_n, p^*) = \Omega(n/k) \qquad (1)$$

$$c(I_n, p^2) / c(I_n, p^*) = \Omega(k) \qquad (2)$$

Proof: The following distribution achieves the ratios in
Eqs. 1 and 2. Let

$$p^3(r, s) = \begin{cases} \dfrac{\alpha}{c_r c_s} & \text{if } r = r_1 \\ 0 & \text{otherwise} \end{cases}$$

where $\alpha = \left(\sum_{i=2}^{n} 1/(c_1 c_i)\right)^{-1}$. This distribution puts weight
on all distinct pairs that include $r_1$. It represents a middle
approach between putting all the probability on the lightest
pair, as $p^1$ does, and spreading the probability over all pairs,
as $p^2$ does. The optimal distribution for each $I_n$ only has
higher ratios with $p^1$ and $p^2$ than $p^3$ does.

The ratio between $p^1$ and $p^3$ is

$$\frac{c(I_n, p^1)}{c(I_n, p^3)} = \frac{c_1 c_2}{(k-1) / \left(\sum_{i=2}^{n} 1/(c_1 c_i)\right)} \ge \frac{1 + c_2 (n-2)/c_n}{k-1}$$

The ratio between $p^2$ and $p^3$ is

$$\begin{aligned}
\frac{c(I_n, p^2)}{c(I_n, p^3)} &= \frac{\binom{k}{2} / \left(\sum_{i<j} 1/(c_i c_j)\right)}{(k-1) / \left(\sum_{i=2}^{n} 1/(c_1 c_i)\right)} && (3) \\
&= \frac{k}{2} \left(1 + c_1 \frac{\sum_{2 \le i < j \le n} 1/(c_i c_j)}{\sum_{i=2}^{n} 1/c_i}\right)^{-1} && (4) \\
&\ge \;\cdots && (5) \\
&= \Omega(k). && (6)
\end{aligned}$$

In Eq. 5, $\sum_{i=2}^{n} 1/c_i$ is bounded by $n$ because $c_i > c$, $i > 1$.
The last line then follows because $c_1 = O(1/n)$. □

Intuitively, the reason $p^1$ does arbitrarily worse than $p^3$ is
that it doesn’t take advantage of an adversary of size $o(n)$ by
putting probability on $\Omega(n)$ pairs, while $p^2$ does arbitrarily
worse than $p^3$ because it puts probability on pairs $\{r_i, r_j\}$,
$i, j > 1$, that have $\Omega(n)$ times higher probability of being
successfully compromised than pairs including $r_1$.
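
The following Python code is an added example, not code from the paper: it evaluates the worst-case objective of Section 2.5 by brute force over every adversary set of size $k$, and compares the pair distributions $p^1$, $p^2$, $p^3$ of Section 3.2 together with the two single-router candidates of Theorem 1. The instance (one router with $c = 1/1000$, fifteen with $c = 1/2$, $k = 5$) and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations


def worst_case_pairs(p, c, k):
    """max over adversary sets K (|K| = k) of sum_{ {r,s} in K } p(r,s) c_r c_s.

    p maps an index pair (r, s), r < s, to its probability. Every one of the
    C(n, k) sets is enumerated, which is why this only works for small n.
    """
    best = Fraction(0)
    for K in combinations(range(len(c)), k):
        total = sum((p.get(pair, 0) * c[pair[0]] * c[pair[1]]
                     for pair in combinations(K, 2)), Fraction(0))
        best = max(best, total)
    return best


def worst_case_single(p_r, c, k):
    """c(p_R): the adversary picks the k routers with the largest c_i * p_R(r_i)."""
    weights = sorted((ci * pi for ci, pi in zip(c, p_r)), reverse=True)
    return sum(weights[:k], Fraction(0))


def single_router_candidates(c):
    """The two distributions of Theorem 1: all mass on the most trusted
    router (p1_R), and mass proportional to 1 / c_i (p2_R)."""
    mu = min(range(len(c)), key=lambda i: c[i])
    p1_r = [Fraction(int(i == mu)) for i in range(len(c))]
    alpha = 1 / sum(1 / ci for ci in c)
    p2_r = [alpha / ci for ci in c]
    return p1_r, p2_r


# Pair distributions; routers are indexed so that c[0] <= c[1] <= ... <= c[n-1].
def p1(c):
    """All probability on the pair of the two most trusted routers."""
    return {(0, 1): Fraction(1)}


def p2(c):
    """p(r, s) = alpha / (c_r c_s) over every distinct pair."""
    pairs = list(combinations(range(len(c)), 2))
    alpha = 1 / sum(1 / (c[r] * c[s]) for r, s in pairs)
    return {(r, s): alpha / (c[r] * c[s]) for r, s in pairs}


def p3(c):
    """Weight alpha / (c_0 c_s) on each pair that includes router 0."""
    alpha = 1 / sum(1 / (c[0] * c[s]) for s in range(1, len(c)))
    return {(0, s): alpha / (c[0] * c[s]) for s in range(1, len(c))}


# Constructed instance: one highly trusted router and fifteen weakly trusted ones.
C = [Fraction(1, 1000)] + [Fraction(1, 2)] * 15
K = 5


def compare_pairs(c=C, k=K):
    """Worst-case compromise probability of p1, p2 and p3 on one instance."""
    return {name: worst_case_pairs(build(c), c, k)
            for name, build in (("p1", p1), ("p2", p2), ("p3", p3))}


def compare_single(c=C, k=K):
    """Values c(p1_R) and c(p2_R) of the two Theorem 1 candidates."""
    p1_r, p2_r = single_router_candidates(c)
    return worst_case_single(p1_r, c, k), worst_case_single(p2_r, c, k)


if __name__ == "__main__":
    for name, value in compare_pairs().items():
        print(f"{name}: worst-case compromise probability {float(value):.6f}")
    print("single-router p1_R, p2_R:", [float(v) for v in compare_single()])
```

On this instance $p^3$ reaches 1/7500, against 1/3042 for $p^2$ and 1/2000 for $p^1$, and the single-router values are $c_\mu = 1/1000$ and $k\alpha = 1/206$.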


4.  When  pairing  off,  trust  is  everything 

Allowing arbitrary trust values may be unnecessarily general.
Users are unlikely to have precise knowledge of the
probability of compromise for each onion router in the network.
Instead, they seem more likely to have a few classes
of  trust  into  which  they  can  partition  the  routers,  or  to  have 
detailed  knowledge  about  only  a  small  number  of  routers. 
This  fact  may  help  us  deal  with  the  apparent  computational 
intractability  of  the  general  problem.  Also,  the  potentially 
complicated  optima  that  result  from  arbitrary  trust  values  may 
not  satisfy  other  criteria  for  path-selection  strategies  that  our 
problem  formulation  does  not  include.  For  example,  we  may 
want  the  number  of  possible  optimal  strategies  to  be  small  so 
users  share  their  behavior  with  many  others,  or  we  may  want 
the  strategies  to  be  robust  to  small  changes  in  trust  values. 

Therefore,  we  now  consider  the  case  that  there  are  only  two 
trust  values.  We  refer  to  the  nodes  with  higher  trust  as  the 
trusted  set,  and  nodes  with  lower  trust  as  the  untrusted  set. 
This  case  is  simple  yet  results  in  non-obvious  conclusions,  and 
also  still  provides  practical  advice  to  users. 

In  Section  5  we  show  that,  when  there  are  only  two  trust 
values,  there  are  three  strategies  that  are  potentially  optimal. 
But  first  we  give  here  a  lemma  that  allows  us  to  consider  only 
distributions  that  treat  the  routers  within  a  trust  set  identically. 
Note  that  this  lemma  holds  for  general  trust  values. 

Lemma 4: Let $U$ be a set of routers with identical trust
values $c$, where $|U| = m$. Let $V$ be the rest of the routers,
where $|V| = n$. Then the set of routers is $R = U \cup V$. There
exists an optimal distribution $p$ in which the following hold:

1) For all $\{u, v\}, \{w, x\} \in \binom{U}{2}$, $p(u, v) = p(w, x)$.

2) For all $v \in V$, $u, w \in U$, $p(v, u) = p(v, w)$.

Proof: Consider some distribution over pairs $p : \binom{R}{2} \to [0,1]$,
$\sum_{\{r,s\} \in \binom{R}{2}} p(r,s) = 1$. Consider any subset $S \subseteq V$.
Let $X_S$ be a subset chosen randomly from all subsets $X$ of
size $k$ such that $X \cap V = S$. Let $j = k - |S|$ be the size of
$X_S \cap U$. Let $c(p, K)$ be the probability of compromise under
$p$, given that set $K$ is chosen by the adversary. That is,

$$c(p, K) = \sum_{\{r,s\} \in \binom{K}{2}} p(r,s)\, c_r c_s$$

We  can  calculate  the  expected  probability  of  compromise 
of  Xs  as  follows: 


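$$
\begin{aligned}
E[c(p, X_S)]
&= \binom{m}{j}^{-1} \sum_{T \subseteq U : |T| = j} \Bigg[ \sum_{\{t,u\} \in \binom{T}{2}} p(t,u)\, c^2 + \sum_{u \in T,\, v \in S} p(u,v)\, c\, c_v + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w \Bigg] && (7) \\
&= \binom{m}{j}^{-1} \binom{m-2}{j-2}\, c^2 \sum_{\{t,u\} \in \binom{U}{2}} p(t,u) + \binom{m}{j}^{-1} \binom{m-1}{j-1}\, c \sum_{v \in S,\, u \in U} p(v,u)\, c_v + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w && (8) \\
&= \frac{j(j-1)c^2}{m(m-1)} \sum_{\{t,u\} \in \binom{U}{2}} p(t,u) + \frac{j}{m} \sum_{v \in S,\, u \in U} p(v,u)\, c\, c_v + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w && (9)
\end{aligned}
$$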

There must be some set $T \subseteq U$ of size $j$ such that $c(p, S \cup T)$
is at least the expectation expressed in Eq. 9. If we modify $p$
to treat all nodes in $U$ the same, and thus satisfy the conditions
in the statement of the lemma, every such $T$ achieves the value
in Eq. 9. Let $p'$ be this modified distribution:

$$
p'(r, s) =
\begin{cases}
\sum_{\{t,u\} \in \binom{U}{2}} p(t,u) \big/ \binom{m}{2} & \text{if } \{r,s\} \in \binom{U}{2} \\
\sum_{u \in U} p(r,u) / m & \text{if } r \in V,\ s \in U \\
\sum_{u \in U} p(s,u) / m & \text{if } r \in U,\ s \in V \\
p(r,s) & \text{if } \{r,s\} \in \binom{V}{2}
\end{cases}
$$

The probability of compromise for any value $S \cup T$ of $X_S$ is

$$
c(p', S \cup T) = \frac{\binom{j}{2}}{\binom{m}{2}} \sum_{\{t,u\} \in \binom{U}{2}} p(t,u)\, c^2 + \frac{j}{m} \sum_{v \in S} \sum_{u \in U} p(v,u)\, c_v c + \sum_{\{v,w\} \in \binom{S}{2}} p(v,w)\, c_v c_w. \qquad (10)
$$

Equations 9 and 10 are equal, and therefore
$\max_{T : |T| = j} c(p', S \cup T) \le \max_{T : |T| = j} c(p, S \cup T)$.
Because this holds for all $S \subseteq V$,
$\max_{K : |K| = k} c(p', K) \le \max_{K : |K| = k} c(p, K)$. □


5.  Choosing  pairs  to  avoid  compromise 

“ Dear  Abby,  Dear  Abby,  Well  I  never  thought,  that  me 
and  my  girlfriend  would  ever  get  caught.” 

John  Prine  —  Lyrics  to  “Dear  Abby” 


Now we analyze optimal distributions for selecting pairs
when there are two trust values in the network, $c_1$ and $c_2$,
with $c_1 < c_2$. We show that, in this case, one of the following
strategies is always optimal: (i) choose a pair of trusted routers
uniformly at random, (ii) choose pairs such that $p(r,s) c_r c_s$ is
equal for all $\{r, s\} \in \binom{R}{2}$, or (iii) choose only fully-trusted or
fully-untrusted pairs such that the adversary has no advantage
in attacking either trusted or untrusted routers. Distribution
(i) corresponds to distribution p2, described in Section 3.2,
with the difference that (i) spreads probability to all the
most-trusted routers and not just two. Distribution (ii) corresponds
to distribution p1 of Section 3.2. Distribution (iii) shows that
non-obvious distributions can exist even when the trust values
are very restricted.

Let $U$ be the trusted set, with trust value $c_1$, $|U| = m$. Let
$V$ be the untrusted set, with trust value $c_2$, $|V| = n$.

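Theorem 5: Let $v_0 = \max(k - m, 0)$ and $v_1 = \max(k - n, 0)$.
Then let $g_0 = \frac{v_0(v_0 - 1)}{n(n-1)}$ and $g_1 = \frac{v_1(v_1 - 1)}{m(m-1)}$. One of the
following is an optimal distribution:

$$
p(r, s) =
\begin{cases}
\dfrac{(c_2)^2}{\binom{m}{2}(c_2)^2 + (mn)(c_1 c_2) + \binom{n}{2}(c_1)^2} & \text{if } \{r,s\} \in \binom{U}{2} \\[2ex]
\dfrac{(c_1 c_2)}{\binom{m}{2}(c_2)^2 + (mn)(c_1 c_2) + \binom{n}{2}(c_1)^2} & \text{if } (r,s) \in U \times V \cup V \times U \\[2ex]
\dfrac{(c_1)^2}{\binom{m}{2}(c_2)^2 + (mn)(c_1 c_2) + \binom{n}{2}(c_1)^2} & \text{if } \{r,s\} \in \binom{V}{2}
\end{cases}
\qquad (11)
$$

$$
p(r, s) =
\begin{cases}
\binom{m}{2}^{-1} & \text{if } \{r,s\} \in \binom{U}{2} \\
0 & \text{otherwise}
\end{cases}
\qquad (12)
$$

$$
p(r, s) =
\begin{cases}
\binom{m}{2}^{-1} \dfrac{c_2^2 (1 - g_0)}{c_1^2 (1 - g_1) + c_2^2 (1 - g_0)} & \text{if } \{r,s\} \in \binom{U}{2} \\[2ex]
\binom{n}{2}^{-1} \dfrac{c_1^2 (1 - g_1)}{c_1^2 (1 - g_1) + c_2^2 (1 - g_0)} & \text{if } \{r,s\} \in \binom{V}{2} \\[2ex]
0 & \text{if } (r,s) \in U \times V \cup V \times U
\end{cases}
\qquad (13)
$$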


Proof: Let $p$ be some distribution on $\binom{R}{2}$. By Lemma 4,
we can assume that $p(t,u) = p(x,y)$, if $t, u, x, y \in U$.
Similarly, $p(v,w) = p(x,y)$, if $v, w, x, y \in V$. Again using
Lemma 4, $p(u,v) = p(u,y) = p(x,y)$, if $u, x \in U$ and
$v, y \in V$. This shows that all pairs intersecting both $U$ and $V$
have equal probability.

If $k \ge n + m$, the adversary can try to compromise all
routers. Thus the best strategy is to only choose pairs from the
trusted set $U$, as described in Eq. 12. From now on, assume
that $k < n + m$.

Let $K_j \subseteq R$ be of size $k$ and have an intersection with
$U$ of size $j$. The value of $j$ alone determines the probability
of compromise for $K_j$, because it determines the number of
pairs in $\binom{U}{2}$, $U \times V$, and $\binom{V}{2}$. As we have just shown, the
exact pairs included do not matter because their probability is
determined by their class. Let $p_1 = \sum_{\{t,u\} \in \binom{U}{2}} p(t,u)$,
$p_2 = \sum_{(u,v) \in U \times V} p(u,v)$, and $p_3 = \sum_{\{v,w\} \in \binom{V}{2}} p(v,w)$. Then we
can say that


c(p,Kj)  = 


(14) 


To narrow the set of possible optimal assignments of $p_1$,
$p_2$, and $p_3$, we will first consider the effect of varying $p_2$.
The quantity we want to minimize is the maximum value of
Eq. 14. Equation 14 is a quadratic function of $j$. Assume that
the second derivative is non-zero. If it is zero it is easy to show
that the distribution $p$ is the distribution described in Eq. 11.
Otherwise, we will show that we can improve the maximum
by changing $p_2$. We can find the local extremum by taking the
derivative of Eq. 14 and setting it to zero. Solving for $j$ gives

$$
j^* = \frac{n(n-1)\, p_1 c_1^2 - k(m-1)(n-1)\, p_2 c_1 c_2 + (2k-1)\, m(m-1)\, p_3 c_2^2}{2\left( n(n-1)\, p_1 c_1^2 - (m-1)(n-1)\, p_2 c_1 c_2 + m(m-1)\, p_3 c_2^2 \right)} \qquad (15)
$$


Unfortunately, $j^*$ must be integral to represent a worst-case
subset, and therefore we cannot just substitute the expression
in Eq. 15 into Eq. 14 and solve for the optimal value of
$p_2$. There may in fact be two values of $j$ that are maxima,
and varying $p_2$ could possibly increase the value at one while
decreasing the value at other. Therefore, while varying $p_2$, we
simultaneously vary $p_1$ and $p_3$ to maintain the local extremum
of Eq. 14 at $j^*$. Then both possible maxima are changed in
the same way.

By observing that $p_3 = 1 - p_1 - p_2$ in Eq. 15 we can see
that $p_1$ and $p_2$ are linearly related. Solve this for $p_1$ and call
the expression $p_1'$. Now let $j' \in \mathbb{N}$, $0 \le j' \le k$, be any value
that maximizes $c(p, K_{j'})$. $j'$ is either an endpoint of $[0, k]$ or
a closest integer to a local maximum. Substitute $p_1'$ for $p_1$ in
$c(p, K_{j'})$, and the result is a linear function of $p_2$. Therefore
either increasing or decreasing $p_2$ does not increase $c(p, K_{j'})$.
Suppose we move $p_2$ in the direction that decreases $c(p, K_{j'})$.
Because we vary $p_1'$ (and $p_3'$) with $p_2$ in such a way as to
maintain the extremum of the parabola at the same value $j^*$,
$j'$ is maintained as a maximum of $c(p, K_j)$ as long as the
second derivative of $c(p, K_{j'})$ remains non-zero.


The process of changing $p_2$ stops when (i) the second
derivative of $c(p, K_{j'})$ becomes zero, (ii) $p_2$ reaches zero, (iii)
$p_3$ reaches zero, or (iv) $p_1$ reaches zero.

Case  (i):  In  this  case,  all  sets  have  the  same  value.  This  is 
only  satisfied  when  the  distribution  is  that  of  Eq.  11. 

Case (ii): In this case, all probability is in pairs of two
trusted or two untrusted nodes. Therefore the maximizing
value of $j$ must be when it is as small as possible or as large
as possible, i.e., at $\max(0, k - n)$ or $\max(k, m)$. If the former
case is strictly larger, we can reduce it by decreasing $p_3$ and
increasing $p_1$. If the latter case is strictly larger, we can do
the reverse. Therefore the value in these two cases must be
equal. To find the probabilities $p_1$ and $p_3$ that satisfy this, let
$p_3 = 1 - p_1$, $v_0 = \max(k - m, 0)$, and $v_1 = \max(k - n, 0)$.
Then setting them equal and solving for $p_1$ yields the condition

$$
p_1 = \frac{c_2^2 \left( 1 - \frac{v_0(v_0 - 1)}{n(n-1)} \right)}{c_1^2 \left( 1 - \frac{v_1(v_1 - 1)}{m(m-1)} \right) + c_2^2 \left( 1 - \frac{v_0(v_0 - 1)}{n(n-1)} \right)} \qquad (16)
$$

Equation 16 then gives us the probability for each pair in $\binom{U}{2}$
and $\binom{V}{2}$, and this is the same as the distribution in Eq. 13.

Case (iii): In this case, $p_3 = 0$. Then if $p_2 = 0$ also, we put
all probability in the trusted nodes, which is the distribution
described in Eq. 12.

Now suppose that $p_2 > 0$. We will consider moving
probability between $p_1$, $p_2$, and $p_3$ to show that this case isn't
possible. Let $p_2 = 1 - p_1$ in Eq. 14 and call this $c_3(p, K_j)$.
Then use this to consider trading off $p_1$ and $p_2$ to find the
optimal assignment. As $p_1$ varies, the change in the value of
the set $K_j$ is

$$
D_{p_1} c_3(p, K_j) = \frac{j c_1}{m} \left( \frac{(j-1) c_1}{m-1} - \frac{(k-j) c_2}{n} \right) \qquad (17)
$$

Next, let $p_2 = 1 - p_1 - p_3$ in Eq. 14 and call this $c_4(p, K_j)$.
Moving $p_2$ to $p_3$ results in a change of

$$
D_{p_3} c_4(p, K_j) = \frac{(k-j) c_2}{n} \left( \frac{(k-j-1) c_2}{n-1} - \frac{j c_1}{m} \right) \qquad (18)
$$


Let $j^* \in \operatorname{argmax}_j c(p, K_j)$ be the largest integer that is a
maximum of $c(p, K_j)$.

We observe that $D_j^2 c(p, K_j) < 0$. If not, we would have
$j^* = k$. Then Eq. 17 shows that decreasing $p_1$ would decrease
the value at $j^*$, and $p_1$ is non-zero so we could do this because,
at $p_1 = 0$, $c(p, K_j)$ is largest at $j^* = \lceil k/2 \rceil \ne k$. Such a
decrease would contradict the optimality of $j^*$.

Now, because $D_j^2 c(p, K_j) < 0$, there may be some $j \in
\operatorname{argmax}_j c(p, K_j)$ such that $j < j^*$. There are four cases
to consider here: (1) $D_{p_1} c_3(p, K_{j^*}), D_{p_1} c_3(p, K_j) < 0$, (2)
$D_{p_1} c_3(p, K_{j^*}), D_{p_1} c_3(p, K_j) > 0$, (3) $D_{p_1} c_3(p, K_{j^*}) > 0$
and $D_{p_1} c_3(p, K_j) < 0$, and (4) $D_{p_1} c_3(p, K_{j^*}) < 0$ and
$D_{p_1} c_3(p, K_j) > 0$.

In case (1), we could decrease $c$ at $j^*$ and $j$ by moving
probability from $p_2$ to $p_1$. This would contradict the optimality
of $p$.


For case (2), we use the fact that

$$
0 < a < b \Rightarrow \frac{a-1}{b-1} < \frac{a}{b} \qquad (19)
$$

Inequality 19 implies that if $D_{p_1} c_3(p, K_j) > 0$, then
$D_{p_3} c_4(p, K_j) < 0$. Therefore we could decrease $c$ at $j^*$ and
$j$ by moving probability from $p_2$ to $p_3$, contradicting the
optimality of $p$.

For case (3), we show that we can still decrease both $j^*$
and $j$ while maintaining their equality, and hence maximality,
by moving some probability from $p_2$ to $p_1$ and $p_3$. Moving
probability from $p_2$ to $p_1$ increases the value at $j^*$ and
decreases the value at $j$. This implies, by Inequality 19, that
moving probability from $p_2$ to $p_3$ decreases the value at $j^*$.
Furthermore, we can assume that it increases it at $j$ because
otherwise we could decrease both $j^*$ and $j$ by moving probability
directly from $p_2$ to $p_3$.

For $j^*$ and $j$ to be integral maxima of Eq. 14, it must be
that $j^* - 1 = j$. Also, solving $D_{p_1} c_3 = D_{p_3} c_4$ for $j$, we
find that at this point, $D_{p_1} c_3 < 0$ and $D_{p_3} c_4 < 0$. Therefore,
$j^*$ is at most one more than this point. We can observe by
calculation that within this range the ratio $|D_{p_1} c_3 / D_{p_3} c_4|$ is
less than one. Similarly, $j$ is at most one less than this point,
and within this range the ratio $|D_{p_1} c_3 / D_{p_3} c_4|$ is greater than
one.

This shows that we can move probability from $p_2$ to $p_1$ and
$p_3$ at rates that decrease the value at both $j^*$ and $j$. Because
they were maximum, we have lowered the value of the
worst-case subset $K_{j^*}$, contradicting the optimality of $p$.

Case (4) is not possible because $D_j[D_{p_1} c_3] > 0$ and
$D_{p_1} c_3(p, K_0) = 0$.

Case (iv): In this case, if $p_2 > 0$, the case is symmetric to
the case of $p_1, p_2 > 0$ and we can apply the same argument.
Therefore assume that $p_2 = 0$, which implies that $p_3 = 1$. It
must be that $m < n$ because otherwise we could set $p_1 = 1$
and $p_3 = 0$ and improve the worst case. But now consider
moving some probability from $p_3$ to $p_1$. Let $p_1 = 1 - p_3$ in
Eq. 14 and call this $c_3$. The change in the worst-case
subset, $K_n$, is

$$
D_{p_3} c_3(p, K_n) = c_2^2 - \frac{(k-n)(k-n-1)\, c_1^2}{m(m-1)}
$$

This must be greater than zero because $c_2 > c_1$ and $k - n < m$.
Therefore decreasing $p_3$ decreases $c(p, K_n)$, contradicting the
optimality of $p$. □


6.  Choosing  a  distribution 

We have shown that there are three possibilities for an
optimal strategy in choosing nodes that will minimize the
best chances a fixed size adversary has to compromise both
endpoints of an onion-routing circuit when a trusted set is
available. To choose a distribution, a user can simply calculate
the probability of compromise in each case and use the
distribution with the smallest result. The optimal distribution
depends on all the variables in the system: the trust values,
the size of the trusted set, the size of the untrusted set, and
the size of the adversary.

In the first distribution, described in Eq. 11, the user chooses
pairs $\{i, j\}$ to make $p(i,j) c_i c_j$ equal for all $i, j$. This is a
random choice of pairs weighted by the trust in the pair. The
probability of compromise under this strategy is

$$
C_1 = \frac{k(k-1)\, c_1^2 c_2^2}{m(m-1)\, c_2^2 + 2mn\, c_1 c_2 + n(n-1)\, c_1^2} \qquad (20)
$$


This  strategy  is  optimal  when  the  network  is  large  compared 
to  the  adversary,  and  so  it  benefits  the  user  to  spread  out 
his  distribution,  even  to  less-trusted  routers.  It  is  also  optimal 
when  the  trust  values  are  close. 

In the second distribution, described in Eq. 12, the user
randomly selects pairs from within the trusted set. This can
only be optimal if the size $k$ of the adversary is larger than the
size $m$ of the trusted set. Otherwise, the user could decrease
the probability of compromise by putting some of the
pair-selection distribution on pairs outside the trusted set. Doing so
would not change the adversary's worst-case subset, which is
entirely in the trusted set, but it would decrease the probability
that those nodes are chosen by the user. The probability of
compromise, assuming $k \ge m$, is simply

$$
C_2 = c_1^2 \qquad (21)
$$

We can compare this to Eq. 20 and observe that $c_1$ can always
be made small enough to make this value less than the value
of the first strategy. These equations also show that choosing
only trusted nodes will be optimal when $k$ is large relative to
the network. When $k = m + n$, this case is always optimal.

The third distribution, given in Eq. 13, is perhaps the
least obvious one, and arises as a result of the fact that
users choose their distribution over pairs, while the adversary
attacks individual routers. Let $v_0 = \max(k - m, 0)$ and
$v_1 = \max(k - n, 0)$. Then let $g_0 = v_0(v_0 - 1)/(n(n-1))$
and $g_1 = v_1(v_1 - 1)/(m(m-1))$. In general, the probability
of compromise under this distribution is

$$
\begin{aligned}
C_3 &= \frac{c_1^2 c_2^2 (1 - g_0)}{c_1^2 (1 - g_1) + c_2^2 (1 - g_0)} + \frac{v_0(v_0 - 1)\, c_1^2 c_2^2 (1 - g_1)}{n(n-1) \left( c_1^2 (1 - g_1) + c_2^2 (1 - g_0) \right)} && (22) \\
&= \frac{v_1(v_1 - 1)\, c_1^2 c_2^2 (1 - g_0)}{m(m-1) \left( c_1^2 (1 - g_1) + c_2^2 (1 - g_0) \right)} + \frac{c_1^2 c_2^2 (1 - g_1)}{c_1^2 (1 - g_1) + c_2^2 (1 - g_0)} && (23)
\end{aligned}
$$

To make some sense of this, it is helpful to consider some
special cases. When $n > k$, $m < k$, the probability of
compromise is

$$
C_3 = \frac{k(k-1)\, c_1^2 c_2^2}{n(n-1) \left( c_1^2 + c_2^2 (1 - g_0) \right)}
$$

We can see that there is some large $m$ such that $C_3$ is less
than $C_2$ and $C_1$. What happens in this case is that there are
a large number of routers, and the user wants to spread his
probability among them. However, because $k > n$, spreading
the probability to all cross-pairs (one trusted and one untrusted
router) means that an adversary selecting as many untrusted
routers as possible gains $(k - n)n/(mn) = (k - n)/m$ of the
probability on such pairs. On the other hand, when spreading
to trusted pairs $(k - n)(k - n - 1)/(m(m - 1))$ of the shifted
probability is captured by the adversary. The latter shrinks
quadratically with $m$ while the former shrinks only linearly. At
some point it will be beneficial to spread probability to trusted
pairs but not to cross-pairs. The case when $m > k$, $n < k$ is
similar. This distribution is never optimal when $m > k$ and
$n > k$, because the worst-case sets are contained within $U$ and
$V$, and so spreading probability to the cross-pairs some small
amount will always decrease the probability of compromise.
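The selection rule of this section, as an added example (not code from the paper): it scores each of the three distributions by the worst case of c(p, K_j) over every feasible split j of the adversary's k attacks and picks the smallest, and it checks that reduction against a brute-force search over all k-subsets. The per-class form of c(p, K_j) is written out from the definition of c(p, K) and Lemma 4; the function names, exact-fraction arithmetic and sample values are assumptions of this example, and it requires m, n ≥ 2.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def class_masses(strategy, m, n, c1, c2, k):
    """Total probability (p1, p2, p3) on trusted, cross and untrusted pairs."""
    if strategy == 1:                       # Eq. 11: p(r,s)*c_r*c_s equal for all pairs
        w = (comb(m, 2) * c2 * c2, m * n * c1 * c2, comb(n, 2) * c1 * c1)
        return tuple(x / sum(w) for x in w)
    if strategy == 2:                       # Eq. 12: trusted pairs only
        return (Fraction(1), Fraction(0), Fraction(0))
    v0, v1 = max(k - m, 0), max(k - n, 0)   # Eq. 13: no cross pairs
    g0 = Fraction(v0 * (v0 - 1), n * (n - 1))
    g1 = Fraction(v1 * (v1 - 1), m * (m - 1))
    a, b = c2 * c2 * (1 - g0), c1 * c1 * (1 - g1)
    return (a / (a + b), Fraction(0), b / (a + b))


def compromise(masses, m, n, c1, c2, j, k):
    """c(p, K_j) when the adversary attacks j trusted and k - j untrusted routers."""
    p1, p2, p3 = masses
    i = k - j
    return (p1 * Fraction(comb(j, 2), comb(m, 2)) * c1 * c1
            + p2 * Fraction(j * i, m * n) * c1 * c2
            + p3 * Fraction(comb(i, 2), comb(n, 2)) * c2 * c2)


def worst_case(masses, m, n, c1, c2, k):
    """Maximum of c(p, K_j) over every feasible number j of trusted routers attacked."""
    k = min(k, m + n)
    return max(compromise(masses, m, n, c1, c2, j, k)
               for j in range(max(0, k - n), min(k, m) + 1))


def brute_force_worst(masses, m, n, c1, c2, k):
    """Same maximum, enumerating every k-subset of an explicit small network."""
    p1, p2, p3 = masses
    # Per-pair probability, indexed by the number of trusted routers in the pair.
    per_pair = (p3 / comb(n, 2), p2 / (m * n), p1 / comb(m, 2))
    c = [c1] * m + [c2] * n                 # routers 0..m-1 are the trusted set
    return max(sum(per_pair[(r < m) + (s < m)] * c[r] * c[s]
                   for r, s in combinations(K, 2))
               for K in combinations(range(m + n), k))


def choose_strategy(m, n, c1, c2, k):
    """Return (best strategy number, {strategy: worst-case compromise probability})."""
    # When k >= m + n every router can be attacked, which leaves only Eq. 12.
    candidates = (1, 2, 3) if k < m + n else (2,)
    scores = {s: worst_case(class_masses(s, m, n, c1, c2, k), m, n, c1, c2, k)
              for s in candidates}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    c1, c2 = Fraction(1, 10), Fraction(1, 2)    # constructed trust values, c1 < c2
    for m, n, k in [(5, 50, 2), (3, 4, 5)]:      # constructed network sizes
        best, scores = choose_strategy(m, n, c1, c2, k)
        print(m, n, k, "->", best, {s: float(v) for s, v in scores.items()})
```

With these constructed values, the large network with k = 2 selects the distribution of Eq. 11, and the small network with k = 5 selects the trusted-only distribution of Eq. 12.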

7.  Conclusion  and  future  work 

We  have  set  out  a  simple  model  for  reasoning  about  using 
trust  for  routing  in  onion-routing  anonymity  networks.  This 
model  modifies  the  traditional  roving  adversary  by  adding 
trust;  so  the  success  of  the  adversary  in  attacking  nodes  he 
chooses  becomes  probabilistic  rather  than  certain.  Trust  is  thus 
defined  as  the  probability  that  the  adversary  fails  in  attempting 
to compromise a node. We used this model to look at end-to-end
correlation attacks by nodes in onion-routing networks.
We  expect  this  model  to  be  useful  for  future  research  by 
ourselves  and  others. 

We  used  our  model  to  show  optimal  strategies  for  choosing 
routes  when  trust  information  is  available.  The  strategies  are 
optimal  in  that  they  minimize  the  maximum  probability  a 
correlating  adversary  has  for  linking  source  to  destination. 

In  the  general  case,  where  there  is  an  arbitrary  number  of 
trust  levels,  we  presented  an  algorithm  to  calculate  an  optimal 
distribution,  an  algorithm  which  runs  in  time  exponential  in 
the  size  of  the  adversary.  We  described  a  natural  simplification 
and  approximation  of  this,  which  permitted  the  calculation  of 
optimal  strategies  on  selection  of  individual  nodes,  but  we 
also  showed  that  the  approximation  based  on  this  is  arbitrarily 
worse  than  optimal  distributions  on  pairs  of  nodes. 

We then turned to consider a practical approach by limiting
ourselves to two trust levels. In addition to being computationally
tractable, users of deployed networks are more likely to
be capable in practice of dividing routers into these levels. We
described three distributions for this case and proved that one
of them must be optimal. Lastly, we discussed determining in
practice when one of the three distributions is optimal based
on the values of the system variables: trust values, size of the
trusted and untrusted sets, and the size of the adversary.

The  results  we  have  produced  are  more  complicated  than  we 
expected,  both  to  describe  and  to  prove.  It  will  be  interesting  to 
examine  larger  questions  of  trust  in  future  work:  What  happens 
when  a  network  is  shared  between  entities  that  do  not  share 
trust  levels  placed  on  the  nodes?  What  is  the  impact  of  trust 
on  profiling  in  this  case?  What  is  the  effect  of  learning  if  we 
add  time  to  the  model  and  allow  the  adversary  to  rove  rather 
than  conducting  a  one-off  attack? 

Though our motivation is onion routing, our analysis applies
to any network where it would be beneficial to reduce the
chance of circuit-endpoint threats by choosing circuits with
less vulnerable endpoints. It clearly generalizes to other
low-latency anonymity designs, such as Crowds [21]. It also
applies beyond networks for anonymity to other concerns.
For example, network endpoints may be able to collaborate
to cover up checksum or other errors that might flag
data-integrity attacks. And, capturing internet traffic for any kind of
analysis (cryptanalysis, textual analysis, traffic analysis, etc.)
may be easier to do or harder to detect or both if pairs of nodes
are collaborating for route capture. Alternatively they might
collaborate for unfair resource sharing. Similar observations
apply to ad-hoc and peer-to-peer networks and to sensor
networks, for which vulnerability of cheap, low-power, and
physically accessible nodes is a known concern. Going further,
our results are not restricted in applicability to path endpoints.
In any setting in which sets of principals can collaborate
so that a successfully compromised pair can conduct an
attack our results are potentially applicable. Examining larger
numbers of nodes being attacked than just pairs is one possible
generalization of this work that should apply in many settings.